[hub]

## Basic options ##
DBName = koji
DBUser = koji
{% if env == "staging" %}
DBHost = db-koji01
LogLevel = koji:INFO koji-fedmsg-plugin:INFO
LogFormat = %(asctime)s [%(levelname)s] m=%(method)s u=%(user_name)s p=%(process)s r=%(remoteaddr)s %(name)s: %(message)s
DBPass = {{ kojiStgPassword }}
{% else %}
DBHost = db-koji01
DBPass = {{ kojiPassword }}
{% endif %}
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
{% if env == "staging" %}
ProxyPrincipals = modularity@STG.FEDORAPROJECT.ORG,HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.iad2.fedoraproject.org@STG.FEDORAPROJECT.ORG
{% else %}
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
{% endif %}
KojiDir = /mnt/koji
MemoryWarnThreshold = 10000
MaxRequestLength = 167772160
RLIMIT_AS = 10737418240
CheckClientIP = False

# Kerb auth
{% if env == "staging" %}
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
{% else %}
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
{% endif %}
AuthKeytab = /etc/koji-hub/koji-hub.keytab

##  SSL client certificate auth configuration  ##
#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)

## the client username is the common name of the subject of their client certificate
DNUsernameComponent = CN
## separate multiple DNs with |
ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US

## end SSL client certificate auth configuration



##  Other options  ##
LoginCreatesUser = On
KojiWebURL = http://koji.fedoraproject.org/koji
# The domain name that will be appended to Koji usernames
# when creating email notifications
EmailDomain = fedoraproject.org
# Disable sending all notifications from koji, people need to use FMN now
DisableNotifications = True

## If KojiDebug is on, the hub will be /very/ verbose and will report exception
## details to clients for anticipated errors (i.e. koji's own exceptions --
## subclasses of koji.GenericError).
# KojiDebug = On

## If MissingPolicyOk is on, and given policy is not set up,
## policy test will pass as ok. If 'deny' result is desired, set it
## to off
# MissingPolicyOk = True
MissingPolicyOk = False

## Determines how much detail about exceptions is reported to the client (via faults)
## Meaningful values:
##   normal - a basic traceback (format_exception)
##   extended - an extended traceback (format_exc_plus)
##   anything else - no traceback, just the error message
## The extended traceback is intended for debugging only and should NOT be
## used in production, since it may contain sensitive information.
# KojiTraceback = normal

## These options are intended for planned outages
#ServerOffline = True
#OfflineMessage = Offline
#LockOut = True
#OfflineMessage = 'koji is being migrated to a new datacenter'
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.

#Plugins = koji-disable-builds-plugin
#Plugins = darkserver-plugin
Plugins = osbuild fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag_hub save_failed_tree

[policy]

tag =
    user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd fwupd-efi:: allow
    user bodhi && tag *-override && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    has_perm secure-boot && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    # CoreOS continuous builds, https://pagure.io/releng/issue/8165
    operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
    operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
    # CoreOS coreos-pool and intermediate signing tags as well
    # as the coreos-release tag. https://pagure.io/releng/issue/8294
    operation tag && tag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
    operation untag && fromtag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
    # eln builds, https://pagure.io/releng/issue/9538
    operation tag && tag eln* && has_perm eln :: allow
    operation untag && fromtag eln* && has_perm eln :: allow
    # deny tagging secureboot packages that are not related to coreos-continuous and eln
    package kernel shim grub2 pesign fwupd  fwupd-efi :: deny
# Allow people to tag stuff into infra-candidate if they're infra
    tag *-infra-candidate && has_perm infra :: allow
    tag *-infra-candidate :: deny
# Allow people from infra to promote builds from -infra-stg to -infra tags
    tag *-infra && fromtag *-infra-stg && has_perm infra :: allow
# These two rules makes sure people can't build srpms in infra tags and tag them into distribution tags
    tag *infra* && fromtag *infra* && has_perm infra :: allow
    fromtag *infra* :: deny
    all :: allow

channel =
    method newRepo distRepo buildSRPMFromSCM :: use createrepo
    method buildContainer :: use container
    has req_channel && has_perm customchannel :: req
{% if env == 'staging' %}
    # kojid-cloud-scheduler tag setup for stg env only
    tag buildaws && fromtag buildaws && method build :: use buildaws
{% endif %}

#we want pesign-test-app to always go to the secure-boot channel even for scratch builds
    source */pesign-test-app* && has_perm secure-boot :: use secure-boot
#make sure all scratch builds go to default channel
    method build && bool scratch :: use default

#policys to deal with secure boot allowing only people in the secure-boot group to build the packages
    source */kernel* && has_perm secure-boot :: use secure-boot
    source */shim* && has_perm secure-boot :: use secure-boot
    source */grub2* && has_perm secure-boot :: use secure-boot
    source */pesign* && has_perm secure-boot :: use secure-boot
    source */fwupdate* && has_perm secure-boot :: use secure-boot
    source */fwupd* && has_perm secure-boot :: use secure-boot
    source */fwupd-efi* && has_perm secure-boot :: use secure-boot

# set this package to use the 'heavybuilder' channel. Note that this is NOT good for most anything.
# It just happens to be for this particular package. Please check before adding anything here, you could
# cause it to end up building a lot slower.
    source */chromium* :: use heavybuilder

    is_child_task :: parent
    all :: use default


build_from_srpm =
    has_perm admin :: allow
    tag *-infra-candidate && has_perm infra :: allow
    all :: deny


# Policy for manipulating package lists for tags.
package_list =
    # Removing packages is almost always a mistake, so deny it.
    # Admins can still override this with --force, if necessary.
    match action remove :: deny
    # Admins can do pretty much everything.
    has_perm admin :: allow
    # People with pkglist permission can manage package lists in
    # active f$N and epel$N tags.
    has_perm pkglist :: {
        # Rawhide and epel7: adding, unblocking and blocking is allowed.
        tag f{{FedoraRawhideNumber}} epel7 && match action add unblock block :: allow
        # In branched blocking is allowed only before final freeze.
        tag f{{FedoraBranchedNumber}} && match action add unblock {{ 'block' if not Frozen or FedoraBranchedBodhi != 'postbeta' else '' }} :: allow
        # Stable releases: only adding and unblocking is allowed.
        tag f{{FedoraCycleNumber}} f{{FedoraPreviousCycleNumber}} && match action add unblock :: allow
    }
    # Infra people can themselves add/block/unblock packages in their
    # tags without bothering admins.
    tag *infra* && has_perm infra && match action add unblock block :: allow
    # CoreOS continuous builds, https://pagure.io/releng/issue/8165
    tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous && match action add unblock block :: allow
    # CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
    tag coreos-pool coreos-release && has_perm coreos-continuous && match action add unblock block :: allow
    # Allow people to manage their side tags, https://pagure.io/releng/issue/9229
    is_sidetag_owner && match action add update remove unblock block :: allow
    # Catch-all rule.
    all :: deny

sidetag =
    tag f38-build :: allow
    tag f37-build :: allow
    tag f36-build :: allow
    tag f35-build :: allow
    tag eln-build :: allow
    tag epel9-next-build :: allow
    tag epel9-build :: allow
    tag epel8-next-build :: allow
    tag epel8-build :: allow
    tag epel7-build :: allow
    all :: deny
